Abstract: A Multi-hop Control Network (MCN) consists of a plant where the communication 
between sensor, actuator and computational unit is supported by a wireless multi-hop com- 
munication network, and data flow is performed using scheduling and routing of sensing and 
actuation data. We address the problem of characterizing controllability and observability of 
a MCN, by means of necessary and sufficient conditions on the plant dynamics and on the 
communication scheduling and routing. We provide a methodology to design scheduling and 
routing, in order to satisfy controllability and observability of a MCN for any fault occurrence 
in a given set of failures configurations. 

Keywords: Control over networks; Control of networks; Networked embedded control systems. 



1. INTRODUCTION 

Wireless networked control systems are spatially dis- 
tributed control systems where the communication be- 
tween sensors, actuators, and computational units is sup- 
ported by a shared wireless communication network. Con- 
trol with wireless technologies typically involves multiple 
communication hops for conveying information from sen- 
sors to the controller and from the controller to actuators. 
The use of wireless networked control systems in industrial 
automation results in flexible architectures and generally 
reduces installation, debugging, diagnostic and mainte- 
nance costs with respect to wired networks. The main 
motivation for studying such systems is the emerging use of 
wireless technologies in control systems (see e.g., Akyildiz, 
I.F. and Kasimoglu, I.H. (2004), Song et al. (2008a), Song 
et al. (2008b)). 

Although multi-hop networks offer many advantages, their 
use for control is a challenge when one has to take into 
account the joint dynamics of the plant and of the commu- 
nication protocol. Wide deployment of wireless industrial 
automation requires substantial progress in wireless trans- 
mission, networking and control, in order to provide formal 
models and verification/design methodologies for wireless 
networked control systems. The design of the control system 
has to take into account the presence of the network, as 
it represents the interconnection between the plant and 
the controller, and thus affects the dynamical behavior 
of the system. Using a wireless communication medium, 
new issues such as fading and time-varying throughput 
in communication channels have to be addressed, and 
communication delays and packet losses may occur. More- 
over analysis of stability, performance, and reliability of 
real implementations of wireless networked control systems 
requires addressing issues such as scheduling and routing 
using real communication protocols. 

While most of the research on networked control systems 
is on direct networking, we focus on multi-hop networks. 
In Section 2 we relate our research to the existing scien- 
tific literature on Networked Control Systems. In particu- 
lar, the modeling and stability verification problem for a 
MIMO LTI plant embedded in a multi-hop control network 
(MCN) when the controller is already designed has been 
addressed in Alur et al. (2009). A mathematical framework 
has been proposed, that allows modeling the MAC layer 
(communication scheduling) and the Network layer (rout- 
ing) of the recently developed wireless industrial control 
protocols, such as WirelessHART (www.hartcomm2.org) 
and ISA-100 (www.isa.org). The mathematical frame- 
work defined in Alur et al. (2009) is compositional, namely 
it is possible to exploit compositional operators of au- 
tomata to design scalable scheduling and routing for mul- 
tiple control loops closed on the same multi-hop control 
network. 

In this paper, starting from the mathematical framework 
developed in Alur et al. (2009), we address the novel 
issue of characterizing controllability and observability of a 
continuous-time SISO LTI plant embedded in a MCN that 
implements scheduling and routing protocols, and where 
failures of communication links may occur. We motivate 
the exploitation of redundancy in data communication 
(i.e. sending sensing and actuation data through multiple 
paths) with the aim of rendering the system robust with 
respect to link failures (e.g. when the battery of a node 
discharges or a communication channel goes down), and 
to mitigate the effect of packet losses (e.g. transmission 
errors). 

In Section 3 we extend the model in Alur et al. (2009) to 
model redundancy, by defining a weight function that spec- 
ifies how the duplicate information transmitted through 
the multi-hop network is merged, and by defining a seman- 
tics of the redundant data flow through the network. Of 
course, all results stated in this paper also apply to MCN 
that do not exploit redundancy. We remark that the differences introduced in this paper with respect to the model in Alur et al. (2009) do not invalidate compositionality of the framework.

As a first result of this paper, given a MCN, we state in Section 4 necessary and sufficient controllability and observability conditions on the plant dynamics and on the scheduling and routing of the communication network.

As a second result, given a MCN and a set of failures configurations of the communication nodes, we state in Section 5 necessary and sufficient conditions on the plant dynamics, on the scheduling and routing of the communication network, and on the set of failures configurations, such that there exists a scheduling and routing configuration that guarantees reachability and observability conditions of the MCN for each failures configuration. Since we adopt a constructive proof, we provide a methodology to configure scheduling and routing of a MCN, in order to satisfy controllability and observability of the closed loop system for any fault occurrence in a given set of failures configurations.

In Section 6 we apply our results, combined with fault detection and hybrid observer techniques, in order to perform co-design of control algorithms and communication parameters for stabilizing MCN where failures of links occur.

2. RELATED WORK

There exists a wide literature on Networked Control Systems, see for example Zhang et al. (2001), Walsh, G.C. and Ye (2001), Antsaklis and Baillieul (2004), Hespanha, J. P. et al. (2007) and references therein. The literature on robust stability of networked control systems (see e.g. Lin et al. (2003), Cloosterman et al. (2006), Shi et al. (2006)) generally addresses stability analysis in presence of packet loss and variable delays, but does not take into account the non-idealities introduced by scheduling and routing communication protocols of multi-hop control networks. When relating our paper with the current research about the interaction of control networks and communication protocols, most efforts in the literature focus on scheduling message and sampling time assignment for sensors/actuators and controllers interconnected by wired common-bus networks, e.g. Astrom and Wittenmark (1997), Walsh, G.C. et al. (2002), Yook, J.K. et al. (2002), Tabbara and Nesic (2007), Tabbara et al. (2007). The authors in Witrant et al. (2007) use model predictive control to stabilize a plant over a multi-hop control network, by only considering delay introduced by the routing policy.

However, what is needed for modeling and analyzing control protocols on multi-hop control networks is an integrated framework for analysing/co-designing network topology, scheduling, routing, transmission errors and control. To the best of our knowledge, the only formal model of multi-hop wireless sensor and actuator networks is reported in Andersson et al. (2005). In this paper, a simulation environment that facilitates simulation of computer nodes and communication networks interacting with the continuous-time dynamics of the real world is presented. The main difference between the work presented in Andersson et al. (2005) and this work is that here we provide results on a formal mathematical model that takes into account plant dynamics and scheduling-routing dynamics.

To the best of our knowledge, our work is pioneering in addressing the controller design problem for multi-hop control networks that implement standardized scheduling and routing communication protocols, in order to enable co-design of controller, scheduling and routing.



3. MODELING OF MCNS 

The challenges in modeling multi-hop control networks are 
best explained by considering the recently developed wire- 
less industrial control protocols, such as WirelessHART 
and ISA-100. These standards allow designers of wireless 
control networks to distribute a synchronous communica- 
tion schedule to all communication nodes of a wireless net- 
work. For each working frequency, time is divided into slots 
of fixed time length $\Delta$ (see Figure 1). A periodic scheduling 
composed by $\Pi$ time slots allows each node to transmit 
data only in a subset of time slots and frequencies, i.e. 
a mixed TDMA and FDMA MAC protocol is used. The 
standard specifies a syntax for defining schedules and a 
mechanism to apply them. However, the issue of designing 
schedules and routing remains a challenge for the engi- 
neers, and is currently done using heuristic rules. To allow 
systematic methods for designing schedules that preserve 
controllability and observability of a plant, a mathemat- 
ical model of the effect of scheduling and routing on the 
control system is needed. The MCN model we propose 
in this paper allows modeling multi-hop control networks 
that implement the protocols WirelessHART and ISA- 
100, but it is much more general: it allows modeling gen- 
eral routing and scheduling communication protocols that 
specify TDMA, FDMA and/or CDMA access to a shared 
communication resource, for a set of communication nodes 
interconnected by an arbitrary radio connectivity graph. 

Fig. 1. Time-slotted structure of the scheduling period. 

Definition 1. A SISO Multi-hop control network (MCN) is a tuple $\mathcal{N} = (\mathcal{P}, G_{\mathcal{R}}, \eta_{\mathcal{R}}, G_{\mathcal{O}}, \eta_{\mathcal{O}}, \Delta)$ where:

• $\mathcal{P} = (A, B, C)$ models a plant dynamics in terms of matrices of a continuous-time SISO LTI system.

• $G_{\mathcal{R}} = (V_{\mathcal{R}}, E_{\mathcal{R}}, W_{\mathcal{R}})$ is the controllability radio connectivity acyclic graph, where the vertices correspond to the nodes of the network, and an edge from $v_1$ to $v_2$ means that $v_2$ can receive messages transmitted by $v_1$ through the wireless communication link $(v_1, v_2)$. We denote $v_c$ the special node of $V_{\mathcal{R}}$ that corresponds to the controller, and $v_u \in V_{\mathcal{R}}$ the special node that corresponds to the actuator of the input $u$ of $\mathcal{P}$. The weight function $W_{\mathcal{R}} : E_{\mathcal{R}} \to \mathbb{R}^+$ (see footnote 1) associates to each link a positive constant. The semantics of $W_{\mathcal{R}}$ will be clear in the following definition of $\eta_{\mathcal{R}}$.

• $\eta_{\mathcal{R}} : \{1, \dots, \Pi\} \to 2^{E_{\mathcal{R}}}$ is the controllability communication scheduling function, that associates to each time slot $k \in \{1, \dots, \Pi\}$ a set of edges of the controllability radio connectivity graph. The integer constant $\Pi$ is the period of the reachability communication scheduling. The semantics of $\eta_{\mathcal{R}}$ is that $(v_1, v_2) \in \eta_{\mathcal{R}}(k)$ if and only if at time slot $k$ the data content of the node $v_1$ is transmitted to the node $v_2$, multiplied for the weight $W_{\mathcal{R}}(v_1, v_2)$.

• $G_{\mathcal{O}} = (V_{\mathcal{O}}, E_{\mathcal{O}}, W_{\mathcal{O}})$ is the observability radio connectivity acyclic graph, and is defined similarly to $G_{\mathcal{R}}$. We denote with $v_c$ the special node of $V_{\mathcal{O}}$ that corresponds to the controller, and $v_y \in V_{\mathcal{O}}$ the special node that corresponds to the sensor of the output $y$ of $\mathcal{P}$.

• $\eta_{\mathcal{O}} : \{1, \dots, \Pi\} \to 2^{E_{\mathcal{O}}}$ is the observability communication scheduling function, and is defined similarly to $\eta_{\mathcal{R}}$. We remark that $\Pi$ is the same period of the controllability scheduling.

• $\Delta$ is the time slot duration.

1 We denote by $\mathbb{R}^+$ the set of strictly positive reals.

We assume that each link can be scheduled only one time 
for each scheduling period. This does not lead to loss of 
generality, since it is always possible to obtain an equiv- 
alent model that satisfies this constraint by appropriately 
splitting the nodes of the graph, as already illustrated in 
the memory slot graph definition of Alur et al. (2009). 
We define a connectivity property of the controllability 
and observability graphs with respect to the corresponding 
scheduling. 

Definition 2. Given a controllability graph $G_{\mathcal{R}}$ and scheduling $\eta_{\mathcal{R}}$, we define $G_{\mathcal{R}}(\eta_{\mathcal{R}}(k))$ the sub-graph of $G_{\mathcal{R}}$ induced by keeping the edges scheduled at time $k$. We define

$$G_{\mathcal{R}}(\eta_{\mathcal{R}}) = \bigcup_{k=1}^{\Pi} G_{\mathcal{R}}(\eta_{\mathcal{R}}(k))$$

the sub-graph of $G_{\mathcal{R}}$ induced by keeping the union of edges scheduled during the whole scheduling period $\Pi$.

Definition 3. We say that a controllability graph $G_{\mathcal{R}}$ is jointly connected by a controllability scheduling $\eta_{\mathcal{R}}$ if and only if there exists a path from the controller node $v_c$ to the actuator node $v_u$ in $G_{\mathcal{R}}(\eta_{\mathcal{R}})$. We denote by $D_{\mathcal{R}}$ the length of the longest path connecting $v_c$ to $v_u$ in $G_{\mathcal{R}}(\eta_{\mathcal{R}})$.

The above definitions can be given similarly for observability graph $G_{\mathcal{O}}$ and scheduling $\eta_{\mathcal{O}}$.

The semantics of a MCN $\mathcal{N}$ can be modeled by the interconnection $\mathcal{M}$ of blocks as in Figure 2. The block $P_T$ is characterized by the transfer function $P_T(z)$ of the discrete-time plant $P_T$, obtained by discretizing $P(s) = C(sI - A)^{-1}B$ with sampling time $T = \Pi\Delta$ equal to the scheduling period duration. The block $G_{\mathcal{R}}$ models the dynamics introduced by the data flow of the actuation data through the network $G_{\mathcal{R}}$ according to the applied controllability scheduling $\eta_{\mathcal{R}}$. In order to define the dynamical behavior of $G_{\mathcal{R}}$, we need to define the semantics of the data flow through the network, according to the scheduling $\eta_{\mathcal{R}}$. We associate to the controller node $v_c$ a real value $\mu_c(kT)$ at time $k$, and we assume that $v_c$ is periodically updated with a new control command at the beginning of each scheduling period and holds this value for the whole time duration of the scheduling period. Formally, $\mu_c(kT) = \tilde{u}(kT)$.

The dynamics of the other nodes needs to be defined at the level of the time slots. We associate to each other node $v_j \in V_{\mathcal{R}} \setminus \{v_c\}$ a real value $\mu_{i,j}(h)$ at time slot $h$, for each node $v_i$ belonging to the set $\mathrm{inc}(v_j) = \{v \in V_{\mathcal{R}} : (v, v_j) \in E_{\mathcal{R}}\}$ of edges incoming in $v_j$. Formally:

$$\mu_j(h) = \sum_{v_i \in \mathrm{inc}(v_j)} \mu_{i,j}(h)$$

is the sum of the variables associated to node $v_j$ in the time slot $h$. When the link from $v_i$ to $v_j$ is scheduled at time slot $h$, the variable of node $v_j$ is updated with the sum of the variables of node $v_i$ multiplied for the link weight $W_{\mathcal{R}}(v_i, v_j)$. Formally, for each $v_j \in V_{\mathcal{R}} \setminus \{v_c\}$ and for each time slot $h \in \{1, \dots, \Pi\}$:

$$\mu_{i,j}(h+1) = \begin{cases} \mu_{i,j}(h) & \text{if } (v_i, v_j) \notin \eta_{\mathcal{R}}(h), \\ W_{\mathcal{R}}(v_i, v_j)\,\mu_i(h) & \text{if } (v_i, v_j) \in \eta_{\mathcal{R}}(h). \end{cases}$$

2 With abuse of notation, we denote $v_c$ both for $G_{\mathcal{R}}$ and $G_{\mathcal{O}}$: this will not lead to confusion, since it will be always clear from the context whether we will be considering the controller node of $G_{\mathcal{R}}$ or $G_{\mathcal{O}}$.

Finally, the actuator node $v_u$ periodically actuates a new actuation command at the beginning of each scheduling period on the basis of its variable $\mu_u$, and holds this value for the whole time duration of the scheduling period. Formally:

$$u(kT) = \mu_u(kT) = \sum_{v_i \in \mathrm{inc}(v_u)} \mu_{i,u}(kT).$$

On the basis of the semantics defined above, it is possible to model the dynamical behavior of $G_{\mathcal{R}}$ as follows.

Proposition 1. Given $G_{\mathcal{R}}$ and $\eta_{\mathcal{R}}$, the block $G_{\mathcal{R}}$ can be modeled as a discrete time SISO LTI system with sampling time equal to the scheduling period duration $T = \Pi\Delta$, and characterized by the following transfer function:

$$G_{\mathcal{R}}(z) = \sum_{i=1}^{D_{\mathcal{R}}} \frac{\gamma_{\mathcal{R}}(i)}{z^i}, \qquad \gamma_{\mathcal{R}}(i) = \sum_{p \in \chi_{\mathcal{R}}(i)} W_{\mathcal{R}}(p),$$

where $\forall i \in \{1, \dots, D_{\mathcal{R}}\}$, $\gamma_{\mathcal{R}}(i) \in \mathbb{R}^+ \cup \{0\}$, $\gamma_{\mathcal{R}}(D_{\mathcal{R}})$ ?

Proof: We need to characterize the dynamics of $u(kT) = \mu_u(kT)$ with respect to $\tilde{u}(kT) = \mu_c(kT)$. Let $\chi_{\mathcal{R}}$ be the set of all simple paths of $G_{\mathcal{R}}(\eta_{\mathcal{R}})$ starting from $v_c$ and terminating in $v_u$. We remark that, since $G_{\mathcal{R}}$ is acyclic, then $\chi_{\mathcal{R}}$ is a finite set. Given any path $p = v_c, v_1, \dots, v_n, v_u \in \chi_{\mathcal{R}}$, with $n \in \{0, \dots, D_{\mathcal{R}} - 1\}$, we define $W_{\mathcal{R}}(p) = W_{\mathcal{R}}(v_c, v_1) W_{\mathcal{R}}(v_1, v_2) \cdots W_{\mathcal{R}}(v_{n-1}, v_n) W_{\mathcal{R}}(v_n, v_u)$ as the product of the weights of the edges of $p$. During each scheduling period, each path $p \in \chi_{\mathcal{R}}$ provides an update of the variable of node $v_u$ given by $\mu_u(kT) = W_{\mathcal{R}}(p)\,\mu_c((k - \delta_{\mathcal{R}}(p))T)$, where $\delta_{\mathcal{R}}(p)$ is the delay introduced by $p$ in terms of scheduling periods. We show how to compute $\delta_{\mathcal{R}}(p)$.

Consider a path $p = v_c, v_1, \dots, v_n, v_u \in \chi_{\mathcal{R}}$ with length $|p| = n + 1$, and assume that the links are scheduled in the same order of the path (as in $\eta'_{\mathcal{R}}$ of Example 1), i.e. $(v_c, v_1), (v_1, v_2), \dots, (v_{n-1}, v_n), (v_n, v_u)$. In this case, the information stored in $v_c$ is conveyed to $v_u$ with a delay of just one scheduling period.

Assume now that links are scheduled in the opposite order (as in $\eta''_{\mathcal{R}}$ of Example 1), i.e. $(v_n, v_u), (v_{n-1}, v_n), \dots, (v_1, v_2), (v_c, v_1)$. In this case, the information stored in $v_c$ is conveyed to $v_u$ with a delay of $|p|$ scheduling periods.

It is easy to show that, given any other scheduling and using the same reasoning, it is possible to determine the delay of scheduling periods $\delta_{\mathcal{R}}(p)$ introduced by the path $p$ applying the scheduling $\eta_{\mathcal{R}}$. It is also easy to verify that $1 \le \delta_{\mathcal{R}}(p) \le |p| \le D_{\mathcal{R}}$. Define $\chi_{\mathcal{R}}(i) = \{p \in \chi_{\mathcal{R}} : \delta_{\mathcal{R}}(p) = i\}$ the set of all paths that, by applying the scheduling $\eta_{\mathcal{R}}$, introduce a delay of $i$ scheduling periods to convey the information stored in $v_c$ to $v_u$. We remark that the set $\{\chi_{\mathcal{R}}(i)\}_{i=1}^{D_{\mathcal{R}}}$ is a partition of $\chi_{\mathcal{R}}$.

It is possible to show by induction, starting from the nodes adjacent to $v_c$ up to the node $v_u$, that at the end of a scheduling period each node $v_u$ contains the sum of the contributions of all paths starting from $v_c$ and terminating in $v_u$. Thus, at the end of each scheduling period, the variable associated to the actuator node $v_u$ contains the sum of the contributions of all paths $p \in \chi_{\mathcal{R}}$:

$$\mu_u(kT) = \sum_{i=1}^{D_{\mathcal{R}}} \sum_{p \in \chi_{\mathcal{R}}(i)} W_{\mathcal{R}}(p)\,\mu_c((k-i)T).$$

Fig. 2. MCN interconnected system.

Since $u(kT) = \mu_u(kT)$ and $\tilde{u}(kT) = \mu_c(kT)$, the following 
holds: 

i=i " pex-R(i) 

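If $\chi_{\mathcal{R}}(i) = \emptyset$ then $\gamma_{\mathcal{R}}(i) = 0$, otherwise $\gamma_{\mathcal{R}}(i) > 0$ because $W_{\mathcal{R}}$ is positive definite. Thus $\forall i \in \{1, \dots, D_{\mathcal{R}}\}$, $\gamma_{\mathcal{R}}(i) \in \mathbb{R}^+ \cup \{0\}$. This completes the proof. ■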

Fig. 3. Transfer function of the MCN interconnected system.

On the basis of the above reasoning, it is possible to model the semantics of a MCN $\mathcal{N}$ as in Figure 3, where each block is a discrete time SISO LTI system with sampling time equal to the scheduling period duration, characterized by the transfer functions $G_{\mathcal{R}}(z)$, $P_T(z)$ and $G_{\mathcal{O}}(z)$.

The following example motivates the use of redundancy in 
MCNs characterized by failures in links. 

Example 1. Consider a MCN $\mathcal{N}_1 = (\mathcal{P}, G_{\mathcal{R}}, \eta_{\mathcal{R}}, G_{\mathcal{O}}, \eta_{\mathcal{O}}, \Delta)$. We remark that, since we are addressing controllability analysis, we do not consider the effect of observability radio connectivity graph and scheduling. $\mathcal{P} = (A, B, C)$ represents a continuous-time SISO LTI plant characterized by the following transfer function:

$$P(s) = \frac{1}{(s^2 - 69.31 s + 25880)(s^2 + 24670)}.$$

We consider a single-path scenario for the controllability radio connectivity graph $G_{\mathcal{R}}$ as shown in Figure 4, where $v_c = v_1$ and $v_u = v_3$. Let us define two schedules on $G_{\mathcal{R}}$, which convey actuation data from $v_c$ to $v_u$: we define $\eta'_{\mathcal{R}}$ as the string $(\{(v_1, v_2)\}, \{(v_2, v_3)\})$, and $\eta''_{\mathcal{R}}$ as the string $(\{(v_2, v_3)\}, \{(v_1, v_2)\})$. Both scheduling have period $\Pi = 2$.

Fig. 4. Single-path scenario graph $G_{\mathcal{R}}$.



Fig. 5. Single-path scenario interconnected system. 

Let $\Delta$ be the duration in seconds of a single time slot of the scheduling, for example 10 ms as in WirelessHART: then the duration of the whole scheduling period is given by $T = \Pi\Delta = 2 \cdot 10$ ms $= 20$ ms. If we apply $\eta'_{\mathcal{R}}$, the block $G_{\mathcal{R}}$ introduces a delay equal to 1 scheduling period, i.e. $u(kT) = \tilde{u}((k-1)T)$. In fact, using $\eta'_{\mathcal{R}}$, the value of $\tilde{u}$ is conveyed first to $v_2$ and then to $v_3$ in just one scheduling period. Thus, the block $G_{\mathcal{R}}$ is characterized by the transfer function $G_{\mathcal{R}}(z) = \frac{1}{z}$.

If we apply $\eta''_{\mathcal{R}}$, the block $G_{\mathcal{R}}$ introduces a delay equal to 2 scheduling periods, i.e. $u(kT) = \tilde{u}((k-2)T)$. In fact, using $\eta''_{\mathcal{R}}$, the value of $\tilde{u}$ is conveyed to $v_2$ in the first period, and to $v_3$ in the second period. Thus, the block $G_{\mathcal{R}}$ is characterized by the transfer function $G_{\mathcal{R}}(z) = \frac{1}{z^2}$.

It is easy to verify that, in both cases, the cascade $\mathcal{M}$ of systems $G_{\mathcal{R}}$ and $P_T$ shown in Figure 5 always satisfies the controllability condition because $G_{\mathcal{R}}(z)$ does not have any zeros, so its interconnection to $P_T(z)$ cannot introduce any pole cancellation. However, if one of the links of $G_{\mathcal{R}}$ is damaged, then $G_{\mathcal{R}}(z) = 0$ and the MCN does not satisfy the controllability condition. Moreover, an error in one of the data transmissions between $v_1$, $v_2$ and $v_3$ is totally transferred to the input of the plant. □

The above example motivates the exploitation of redun- 
dancy, for instance by sending control data through multi- 
ple paths in the same scheduling period and then merging 
these components in the actuator node. We call this ap- 
proach redundancy by static multi-path routing. An alter- 
native is sending control data through a single-path (route) 
for each scheduling period, and dynamically updating this 
route in order to avoid faulty nodes in the new route. 
We call this approach redundancy by dynamic single-path 
routing. To the best of our knowledge, although there exist 
several algorithms for static (e.g. Dijkstra and Bellman-Ford) 
and dynamic routing (Ash (1997)) of multi-hop networks, 
none of them have been designed to address control 
specifications. In this paper, we only address the problem 
of designing redundancy by static multi-path routing, in 
order to preserve controllability and observability struc- 
tural properties of a MCN. 

The Pros of applying redundancy by static multi-path 
routing are the following: first, controllability of the MCN 
is robust to failures of links; and second, the effect of 
data transmission errors on a single link is alleviated when 
averaging all the components received from the multiple 
paths. It is worth remarking that, although protocols such 
as WirelessHART and ISA-100 are oriented to single-path 
routing (i.e. sensing and actuation data are sent to the 
controller via a unique path of wireless nodes), it is possible 
to implement redundancy of sensing and actuation data by 
appropriately defining the scheduling in order to achieve 
multi-path routing. 

Fig. 6. Multi-path scenario graph $G_{\mathcal{R}}$.

The Cons of redundancy by static multi-path routing are 
the following: first, it increases data traffic in the network, 
but this is a necessary investment to improve robustness 
with respect to link failures when we apply static rout- 
ing; second, sending control data through multiple paths 
and then merging them in the actuator node generates 
dynamics that might invalidate controllability conditions, 
as illustrated in the following example. 

Example 2. Let us define a MCN $\mathcal{N}_2 = (\mathcal{P}, G_{\mathcal{R}}, \eta_{\mathcal{R}}, G_{\mathcal{O}}, \eta_{\mathcal{O}}, \Delta)$. As above, we do not consider the observability radio connectivity graph and scheduling. $\mathcal{P} = (A, B, C)$ represents a continuous-time SISO LTI plant characterized by the transfer function $P(s)$ adopted in the previous example. We consider a multi-path scenario for the controllability radio connectivity graph $G_{\mathcal{R}}$ as shown in Figure 6 where $v_c = v_1$ and $v_u = v_7$. Differently from the controllability graph of Example 1, in this case some nodes receive actuation data from multiple links. We define the weight function $W_{\mathcal{R}}$ so that all nodes equally weight the contribution of each incoming link.

Let us define three schedules on $G_{\mathcal{R}}$, which convey actuation data from $v_c$ to $v_u$ using multiple paths:

$\eta^a_{\mathcal{R}} = (\{(v_1,v_2), (v_1,v_3), (v_1,v_4), (v_2,v_5), (v_2,v_7), (v_3,v_5), (v_3,v_6), (v_3,v_7), (v_4,v_6), (v_4,v_7), (v_5,v_7), (v_6,v_7)\})$,

$\eta^b_{\mathcal{R}} = (\{(v_1,v_2), (v_1,v_3), (v_1,v_4)\}, \{(v_2,v_5), (v_2,v_7)\}, \{(v_3,v_5), (v_3,v_6), (v_3,v_7)\}, \{(v_4,v_6), (v_4,v_7)\}, \{(v_5,v_7)\}, \{(v_6,v_7)\})$,

$\eta^c_{\mathcal{R}} = (\{(v_1,v_2), (v_1,v_3), (v_1,v_4), (v_5,v_7), (v_6,v_7)\}, \{(v_2,v_5), (v_2,v_7), (v_3,v_5), (v_3,v_6), (v_3,v_7), (v_4,v_6), (v_4,v_7)\})$.

The scheduling have periods $\Pi^a = 1$, $\Pi^b = 6$, and $\Pi^c = 2$. Let $\Delta = 10$ ms as above: then the durations of the scheduling periods are given by $T^a = 10$ ms, $T^b = 60$ ms, and $T^c = 20$ ms.

Scheduling a consists of only one time slot, where all nodes transmit simultaneously. This is a corner case, that is realistic e.g. if the MAC layer of the communication protocol implements CDMA. The scheduling a produces the following dynamics for $u(kT^a)$:

$$u(kT^a) = \frac{3}{5}\,\tilde{u}((k-2)T^a) + \frac{2}{5}\,\tilde{u}((k-3)T^a).$$

Note that a delay of 2 scheduling periods of $\eta^a_{\mathcal{R}}$ corresponds to an actuation delay of $2 \cdot T^a = 20$ ms.

Scheduling b consists of 6 time slots: in each time slot only one node transmits and the other nodes receive. This is also a corner case, that is realistic when the communication protocol implements TDMA (i.e. only one node is allowed to transmit for each time slot). The scheduling b produces the following dynamics for $u(kT^b)$:

$$u(kT^b) = \tilde{u}((k-1)T^b).$$

Note that a delay of 1 scheduling period of $\eta^b_{\mathcal{R}}$ corresponds to an actuation delay of $1 \cdot T^b = 60$ ms.

Scheduling c consists of 2 time slots: in the first time slot only nodes $v_1$, $v_5$ and $v_6$ are allowed to transmit, since they are assumed not to interfere with each other; in the second time slot only nodes $v_2$, $v_3$ and $v_4$ are allowed to transmit. This scheduling is a tradeoff between scheduling a and b, and is realistic when the communication protocol implements mixed TDMA and FDMA. The scheduling c produces the following dynamics for $u(kT^c)$:

$$u(kT^c) = \frac{3}{5}\,\tilde{u}((k-1)T^c) + \frac{2}{5}\,\tilde{u}((k-2)T^c).$$

Note that a delay of 1 scheduling period of $\eta^c_{\mathcal{R}}$ corresponds to an actuation delay of $1 \cdot T^c = 20$ ms.

As a comparison to the single-path scenario of Example 1, we can conclude that adding redundancy generally increases the actuation delay of the control input, and thus worsens responsiveness of the control algorithm. The only case when the actuation delay does not increase is when we have at our disposal a multi-hop network that allows simultaneous transmission of all links (scheduling a, e.g. using CDMA, $T^a = 10$ ms). Unfortunately, this is not generally the case for current specifications for wireless networks, e.g. WirelessHART and ISA-100 do not admit CDMA.

In the worst scenario, only one node can transmit data for each time slot (scheduling b, e.g. using TDMA, $T^b = 60$ ms). In this case, the actuation delay strongly increases, in contrast with the requirement of designing responsive control algorithms. In typical industrial scenarios, as illustrated in D'Innocenzo et al. (2009), if we do not admit simultaneous transmission of two nodes then it is not always possible to design a scheduling that satisfies constraints on the actuation delay guaranteeing the achievement of control specifications on the closed loop system.

For this reason, we choose a scheduling that allows multiple transmissions on a subset of links, which do not interfere with each other (scheduling c, e.g. using TDMA and FDMA, $T^c = 20$ ms). The schedule c has the advantage of introducing redundancy and only moderately increasing the actuation delay. Moreover, it is reasonably implementable since it requires simultaneous use of mixed TDMA and FDMA, which is standardized in existing communication protocols for wireless sensor networks such as WirelessHART and ISA-100.

Using $\eta^c_{\mathcal{R}}$, the system can be seen as the cascade $\mathcal{M}^c$ of 
blocks as in Figure 7. The block $P_{T^c}$ is characterized by 
the transfer function $P_{T^c}(z)$ obtained by discretizing $P(s)$ 
with sampling time $T^c$ as follows: 

P T .{z)= 4.2932 xlO- 9 " + 1 ; 18 4 9 9V 
(z + l)(z + 2) 

where the poles of $P_{T^c}(z)$ are $p_1 = -1$ and $p_2 = -2$. The block $G_{\mathcal{R}}$ models the dynamics introduced by the data flow through the network $G_{\mathcal{R}}$, according to the applied scheduling $\eta^c_{\mathcal{R}}$.

The block $G_{\mathcal{R}}$ is characterized by the transfer function 

Fig. 7. Multi-path scenario interconnected system. 

Thus, when no failures occur, the zero $z$ of $G_{\mathcal{R}}(z)$ does 
not coincide with any of the poles of $P_{T^c}(z)$. Assume that 
a failure occurs in the link $(v_3, v_7)$, denoted by the failures 
configuration $f_1$. Then the following holds: 



h = {(v 3 ,v 7 )}=>Gfi(z) 



z h 



Thus, when the fault $f_1$ occurs the zero $z_{f_1}$ of $G^{f_1}_{\mathcal{R}}(z)$ 
coincides with the pole $p_1$ of $P_{T^c}(z)$. Assume that a 
failure simultaneously occurs in the links {v^,v 7 ) and 
(^5, v 7 ), denoted by the failures configuration /2. Then the 
following holds: 



h = {(va,vr), (v 5 ,v 7 )} G%{z) = ^±11 



Zf 2 



Thus, when the fault $f_2$ occurs, the zero $z_{f_2}$ of $G^{f_2}_{\mathcal{R}}(z)$ does 
not coincide with any of the poles of $P_{T^c}(z)$. Assume that 
a failure simultaneously occurs in the links $(v_3, v_7)$ and 
$(v_2, v_7)$, denoted by the failures configuration $f_3$. Then the 
following holds: 



h = {{vi,v 7 ),{v 2 ,v 7 )}^G%{z) 



5 Z T 5 



^3 



Thus, when the fault $f_3$ occurs the zero $z_{f_3}$ of $G^{f_3}_{\mathcal{R}}(z)$ 
coincides with the pole $p_2$ of $P_{T^c}(z)$. Note that, according 
to a generic set of faulty edges $f$ and to the weight function 
$W_{\mathcal{R}}$, some failures introduce dynamics in the block $G^{f}_{\mathcal{R}}(z)$ 
that invalidate controllability of $P_{T^c}(z)$. □ 

Example 2 motivates characterizing MCNs controllability 
conditions over the plant dynamics, the scheduling and the 
routing. We will address this problem in the next Section. 

4. STABILIZABILITY OF MCNS 

As discussed in Section 3, MCNs $\mathcal{N}$ can be modeled by the interconnection $\mathcal{M}$ of blocks as in Figure 3.

Definition 4. We say that a MCN $\mathcal{N}$ is controllable (resp. observable) if and only if $\mathcal{M}$ is controllable (resp. observable). Moreover, we say that $\mathcal{N}$ is stabilizable (resp. detectable) if and only if $\mathcal{M}$ is stabilizable (resp. detectable).

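Theorem 1. A MCN $\mathcal{N}$ is controllable if and only if the following hold:

(1) $(A, B)$ is controllable;

(2) $G_{\mathcal{R}}$ is jointly connected by $\eta_{\mathcal{R}}$;

(3) for each pole $p$ of $P_T(z)$, $\sum_{i=1}^{D_{\mathcal{R}}} \gamma_{\mathcal{R}}(i)\, p^{D_{\mathcal{R}} - i} \neq 0$;

(4) for each zero $z$ of $P_T(z)$, $z \neq 0$.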

Proof: (Sufficiency) Since Condition 1 states that the block $P_T$ is controllable, we need to prove that Conditions 2, 3 and 4 imply that $G_{\mathcal{R}}(z) \neq 0$, and that poles of $P_T(z)$ and $G_{\mathcal{O}}(z)$ do not coincide with zeros of $G_{\mathcal{R}}(z)$ and $P_T(z)$.

We prove that Condition 2 implies that $G_{\mathcal{R}}(z) \neq 0$. If $G_{\mathcal{R}}$ is jointly connected by $\eta_{\mathcal{R}}$, then there exists at least one path $p = v_c, \dots, v_u$ with $W_{\mathcal{R}}(p) > 0$. Let $\delta_{\mathcal{R}}(p) = i$, with $1 \le i \le |p| \le D_{\mathcal{R}}$. Since $W_{\mathcal{R}}$ is positive definite, then $\gamma_{\mathcal{R}}(i) \ge W_{\mathcal{R}}(p) > 0$. This implies that $G_{\mathcal{R}}(z) \neq 0$.

We prove that Condition 3 implies that any zero of $G_{\mathcal{R}}(z)$ does not coincide with any pole of $P_T(z)$. We can write $G_{\mathcal{R}}(z)$ as follows:



G n (z) 



i=l 



-R 



Thus, $p$ is a zero of $G_{\mathcal{R}}(z)$ if and only if Condition 3 holds.

Since $G_{\mathcal{R}}(z)$ cannot contain zeros in 0 and $G_{\mathcal{O}}(z)$ only has poles in 0, then any zero of $G_{\mathcal{R}}(z)$ does not coincide with any pole of $G_{\mathcal{O}}(z)$.

Since $G_{\mathcal{R}}(z)$ only has poles in 0, Condition 4 implies that any zero of $P_T(z)$ does not coincide with any pole of $G_{\mathcal{R}}(z)$.

This completes the first part of the proof. 

(Necessity) For each condition, we assume that it is 
not satisfied, and prove that this implies that N is not 
controllable. 

Assume that Condition 1 is not satisfied, then clearly the 
system N is not controllable. 

Assume that Condition 2 is not satisfied. Since \tz = 
0, then $\gamma_\mathcal{R}(i) = 0$ for each $i \in \{1, \ldots, D_\mathcal{R}\}$, and thus
$G_\mathcal{R}(z) = 0$. This clearly implies that the system $N$ is not
controllable.

Assume that Condition 3 is not satisfied, then there exists
a zero of $G_\mathcal{R}(z)$ that coincides with a pole of $P_T(z)$. This
clearly implies that the system $N$ is not controllable.

Assume that Condition 4 is not satisfied, then there exists
a zero of $P_T(z)$ that coincides with a pole of $G_\mathcal{O}(z)$. This
clearly implies that the system $N$ is not controllable. ■

Note that controllability of (A, B) and connectivity of the 
controller and actuator nodes are necessary conditions, as 
suggested by the intuition, but they are not sufficient. 
In fact, the controllability scheduling may introduce dynamics
that invalidate controllability. This issue generates
Conditions 3 and 4 of Theorem 1, that provide together
with Conditions 1 and 2 necessary and sufficient
controllability conditions.

Another interesting remark is that, in order to guaran- 
tee controllability, we do not need to design an ordered 
schedule, i.e. we can schedule links with any order. This is 
an interesting result, since it allows much more freedom in 
designing the scheduling. The main problem, as illustrated
in Example 2, is the design of a weight function $W_\mathcal{R}$ such
that Condition 3 of Theorem 1 is satisfied: we address
and solve this issue in the following Section. Note that
designing both a scheduling function $\eta_\mathcal{R}$ and a weight
function $W_\mathcal{R}$ that satisfy the conditions of Theorem 1
corresponds to designing a scheduling and a multi-path
routing of the communication protocol.

The following corollary can be proved using the same 
reasoning as in the proof of Theorem 1.

Corollary 1. A MCN $\mathcal{N}$ is stabilizable if and only if the
following hold:

(1) $(A, B)$ is stabilizable;

(2) $G_\mathcal{R}$ is jointly connected by $\eta_\mathcal{R}$;

(3) for each pole $p$ of $P_T(z)$ such that $|p| \geq 1$,

i=l 



By duality:

Corollary 2. A MCN $\mathcal{N}$ is observable if and only if the
following hold:

(1) $(C, A)$ is observable;

(2) $G_\mathcal{O}$ is jointly connected by $\eta_\mathcal{O}$;

(3) for each pole $p$ of $P_T(z)$, $\sum_{i=1}^{D_\mathcal{O}} \gamma_\mathcal{O}(i)\, p^{D_\mathcal{O}-i} \neq 0$;

(4) for each zero $z$ of $P_T(z)$, $z \neq 0$.

Corollary 3. A MCN $\mathcal{N}$ is detectable if and only if the
following hold:

(1) $(C, A)$ is detectable;

(2) $G_\mathcal{O}$ is jointly connected by $\eta_\mathcal{O}$;

(3) for each pole $p$ of $P_T(z)$ such that $|p| \geq 1$,
$\sum_{i=1}^{D_\mathcal{O}} \gamma_\mathcal{O}(i)\, p^{D_\mathcal{O}-i} \neq 0$.

5. FAULT TOLERANT STABILIZABILITY OF MCNS

Given a MCN and a set $f \subseteq E_\mathcal{R} \cup E_\mathcal{O}$ of communication
links subject to a failure, we define a faulty MCN as
follows:

Definition 5. Given a MCN $\mathcal{N} = (P, G_\mathcal{R}, \eta_\mathcal{R}, G_\mathcal{O}, \eta_\mathcal{O}, \Delta)$,
let $f \subseteq E_\mathcal{R} \cup E_\mathcal{O}$ be a set of faulty links. We define
the faulty MCN $\mathcal{N}_f = (P, G_\mathcal{R}, \eta_\mathcal{R}^f, G_\mathcal{O}, \eta_\mathcal{O}^f, \Delta)$, where
$\forall k \in \{1, \ldots, n\}$, $\eta_\mathcal{R}^f(k) = \eta_\mathcal{R}(k) \setminus (\eta_\mathcal{R}(k) \cap f)$ and
$\eta_\mathcal{O}^f(k) = \eta_\mathcal{O}(k) \setminus (\eta_\mathcal{O}(k) \cap f)$.

In other words, the faulty MCN $\mathcal{N}_f$ is obtained by removing
the faulty links from the schedules, while keeping
the original radio connectivity graphs and the weight functions.

Let $\mathcal{F} \subseteq 2^{E_\mathcal{R} \cup E_\mathcal{O}}$ be a set of failures configurations. The
empty set always belongs to $\mathcal{F}$, and $\mathcal{N}_\emptyset$ represents
the MCN in absence of failures. As clearly illustrated in
Section 4, the main issue in designing a MCN such that it
is controllable even with link failures is the choice of the
weight function $W_\mathcal{R}$. Since we are exploiting redundancy
by static multi-path routing, we need to design a unique
static weight function $W_\mathcal{R}$ (which implicitly defines the
weight of each routing path) such that $\mathcal{N}_f$ is controllable
for each $f \in \mathcal{F}$. This problem is not trivial: as an example,
notice that it is not always possible to arbitrarily assign the
value $W_\mathcal{R}(p)$ for each path of an acyclic graph that consists
of more than 5 vertices, since the number of paths, which
corresponds to the number of constraints, is greater than
the number of edges, which corresponds to the number of
free variables.

The following Theorem provides necessary and sufficient
conditions for guaranteeing, given a MCN and a set of
failures configurations $\mathcal{F}$, the existence of a weight function
$W_\mathcal{R}$ such that $\mathcal{N}_f$ is controllable for each $f \in \mathcal{F}$. The proof
is constructive, and thus provides an algorithm to design
$W_\mathcal{R}$.

Theorem 2. Given a MCN $\mathcal{N}$ and a faulty set $\mathcal{F}$, there
exists a weight function $W_\mathcal{R}$ such that $\mathcal{N}_f$ is controllable
for each $f \in \mathcal{F}$, if and only if the following hold:

(1) $(A, B)$ is controllable;

(2) for each $f \in \mathcal{F}$, $G_\mathcal{R}$ is jointly connected by $\eta_\mathcal{R}^f$;

(3) for each zero $z$ of $P_T(z)$, $z \neq 0$.

Proof: The necessity is trivial, since if one of the above
conditions is false then the MCN is not controllable for
each weight function $W_\mathcal{R}$. To prove the sufficiency, and
since Conditions 1, 2 and 4 of Theorem 1 are already
satisfied by assumption, we need to provide an algorithm
to design $W_\mathcal{R}$.

Pick any weight function $W_\mathcal{R}$: e.g. we can pick a weight
function as in Example 2 that equally weights all incoming
edges to any vertex, i.e. such that for any vertex $v$ of $G_\mathcal{R}$
the following holds:

$$\forall v' \in inc(v), \quad W_\mathcal{R}(v', v) = \frac{1}{|inc(v)|}.$$

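Given $G_\mathcal{R} = (V_\mathcal{R}, E_\mathcal{R}, W_\mathcal{R})$, $\eta_\mathcal{R}$ and $\mathcal{F}$, we define a
non-empty set $\bar{E}_\mathcal{R} = \{e_1, \ldots, e_m\} \subseteq E_\mathcal{R}$ and a partition
$\{\mathcal{F}_i\}_{i=1}^{m}$ of $\mathcal{F}$ as follows.

Pick $f \in \mathcal{F}$ and $e_1 \in E_\mathcal{R} \setminus f$. Assign $\bar{E}_\mathcal{R} = \{e_1\}$ and define
the set $\mathcal{F}_1 = \{f \in \mathcal{F} : e_1 \notin f\}$. If $\mathcal{F}_1 = \mathcal{F}$ we stop the
algorithm. Otherwise proceed with the algorithm applying
the following inductive $K$-th step: pick
$f \in \mathcal{F} \setminus \bigcup_{i=1}^{K-1} \mathcal{F}_i$ and $e_K \in E_\mathcal{R} \setminus (\bar{E}_\mathcal{R} \cup f)$.
Assign $\bar{E}_\mathcal{R} = \bar{E}_\mathcal{R} \cup \{e_K\}$ and define the set
$\mathcal{F}_K = \{f \in \mathcal{F} \setminus \bigcup_{i=1}^{K-1} \mathcal{F}_i : e_K \notin f\}$.
If $\bigcup_{i=1}^{K-1} \mathcal{F}_i \cup \mathcal{F}_K = \mathcal{F}$ we stop the algorithm.
By iteration, we construct a set
$\bar{E}_\mathcal{R} = \{e_1, \ldots, e_m\} \subseteq E_\mathcal{R}$ such that the following hold:

(1) the set $\{\mathcal{F}_i\}_{i=1}^{m}$ is a partition of $\mathcal{F}$, with $1 \leq m \leq |\mathcal{F}|$;

(2) for each $e_i$ and for each $f \in \bigcup_{j=i+1}^{m} \mathcal{F}_j$, then $e_i \in f$.

Note that, since $G_\mathcal{R}$ is jointly connected by $\eta_\mathcal{R}^f$, then for
any iteration $i$, $\mathcal{F}_i$ has at least cardinality 1, and thus the
algorithm terminates in a finite number of steps upper
bounded by $|\mathcal{F}|$.

Define a weight function $W_{\mathcal{R},(\varepsilon_1, \ldots, \varepsilon_m)}$ where $\forall i \in \{1, \ldots, m\}$,
$W_{\mathcal{R},(\varepsilon_1, \ldots, \varepsilon_m)}(e_i) = W_\mathcal{R}(e_i) + \varepsilon_i$, $\varepsilon_i \in \mathbb{R}^+$.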

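Let $\gamma_{\mathcal{R},f}(i)$ be given by constructing (as in Proposition 1)
the transfer function $G_\mathcal{R}(z)$ from $G_\mathcal{R}$ and $\eta_\mathcal{R}^f$. Condition 3
of Theorem 1 requires that:

$$\sum_{i=1}^{D_\mathcal{R}} \gamma_{\mathcal{R},f_m}(i)\, p^{D_\mathcal{R}-i} + b_{p,f_m}\varepsilon_m = a_{p,f_m} + b_{p,f_m}\varepsilon_m \neq 0, \qquad (1)$$

where $\mathcal{P}$ is the set of poles of $P_T(z)$ and $a_{p,f_m}$, $b_{p,f_m}$ are
real constants. Note that for all $i \in \{1, \ldots, m-1\}$, $\varepsilon_i$ does
not appear in inequalities (1) since for each $f_m \in \mathcal{F}_m$,
$e_i \in f_m$ and thus the associated weight $W_\mathcal{R}(e_i)$ does not
appear in any path. Pick a value:

$$\varepsilon_m \in \mathbb{R}^+ \setminus \bigcup_{p \in \mathcal{P},\, f_m \in \mathcal{F}_m} \left\{ -\frac{a_{p,f_m}}{b_{p,f_m}} \right\},$$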

i.e. such that inequalities (1) are satisfied, and consider
$W_{\mathcal{R},(\varepsilon_1, \ldots, \varepsilon_{m-1}, \varepsilon_m)}$. Condition 3 of Theorem 1 requires that:

$$\forall p \in \mathcal{P}, \forall f_{m-1} \in \mathcal{F}_{m-1}, \quad \sum_{i=1}^{D_\mathcal{R}} \gamma_{\mathcal{R},f_{m-1}}(i)\, p^{D_\mathcal{R}-i} + b_{p,f_{m-1}}\varepsilon_{m-1} + c_{m,p,f_{m-1}}\varepsilon_m = a_{p,f_{m-1}} + b_{p,f_{m-1}}\varepsilon_{m-1} \neq 0, \qquad (2)$$

where $a_{p,f_{m-1}}$, $b_{p,f_{m-1}}$ and $c_{m,p,f_{m-1}}$ are real constants.
Note that for all $i \in \{1, \ldots, m-2\}$, $\varepsilon_i$ does not appear
in inequalities (2) since for each $f_{m-1} \in \mathcal{F}_{m-1}$, $e_i \in f_{m-1}$
and thus the associated weight $W_\mathcal{R}(e_i)$ does not appear in
any path. Pick a value:



U P,fm-l 



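i.e. such that inequalities (2) are satisfied, and consider
$W_{\mathcal{R},(\varepsilon_1, \ldots, \varepsilon_{m-2}, \varepsilon_{m-1}, \varepsilon_m)}$. By iteration, after $m-1$ steps we
define $W_{\mathcal{R},(\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_m)}$. Condition 3 of Theorem 1 requires
that:

$$\sum_{i=1}^{D_\mathcal{R}} \gamma_{\mathcal{R},f_1}(i)\, p^{D_\mathcal{R}-i} + b_{p,f_1}\varepsilon_1 + c_{2,p,f_1}\varepsilon_2 + \cdots + c_{m,p,f_1}\varepsilon_m = a_{p,f_1} + b_{p,f_1}\varepsilon_1 \neq 0, \qquad (3)$$

where $a_{p,f_1}$, $b_{p,f_1}$ and $c_{2,p,f_1}, \ldots, c_{m,p,f_1}$ are real constants.
Pick a value: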



$$\varepsilon_1 \in \mathbb{R}^+ \setminus \bigcup_{p \in \mathcal{P},\, f_1 \in \mathcal{F}_1} \left\{ -\frac{a_{p,f_1}}{b_{p,f_1}} \right\},$$

i.e. such that inequalities (3) are satisfied, and consider
$W_{\mathcal{R},(\varepsilon_1, \ldots, \varepsilon_{m-1}, \varepsilon_m)}$. It is clear that, for each
$f \in \bigcup_{i=1}^{m} \mathcal{F}_i = \mathcal{F}$, $\mathcal{N}_f$ satisfies Condition 3 of Theorem 1.
This implies that for each $f \in \mathcal{F}$, $\mathcal{N}_f$ is controllable. Assigning
$W_\mathcal{R} = W_{\mathcal{R},(\varepsilon_1, \ldots, \varepsilon_{m-1}, \varepsilon_m)}$ concludes the proof.

In the particular case $\mathcal{F} = \{\emptyset\}$, Theorem 2 provides
necessary and sufficient conditions for guaranteeing, given
a non-faulty MCN $\mathcal{N}_\emptyset$, the existence of a weight function
$W_\mathcal{R}$ such that $\mathcal{N}_\emptyset$ is controllable, thus solving the design
problem defined in the previous Section.

The following corollary can be proved using the same
reasoning as in the proof of Theorem 2.

Corollary 4. Given a MCN $\mathcal{N}$ and a faulty set $\mathcal{F}$, there
exists a weight function $W_\mathcal{R}$ such that $\mathcal{N}_f$ is stabilizable
for each $f \in \mathcal{F}$, if and only if the following hold:

(1) $(A, B)$ is stabilizable;

(2) for each $f \in \mathcal{F}$, $G_\mathcal{R}$ is jointly connected by $\eta_\mathcal{R}^f$.

By duality:

Corollary 5. Given a MCN $\mathcal{N}$ and a faulty set $\mathcal{F}$, there
exists a weight function $W_\mathcal{O}$ such that $\mathcal{N}_f$ is observable
for each $f \in \mathcal{F}$, if and only if the following hold:

(1) $(C, A)$ is observable;

(2) for each $f \in \mathcal{F}$, $G_\mathcal{O}$ is jointly connected by $\eta_\mathcal{O}^f$;

(3) for each zero $z$ of $P_T(z)$, $z \neq 0$.

Corollary 6. Given a MCN $\mathcal{N}$ and a faulty set $\mathcal{F}$, there
exists a weight function $W_\mathcal{O}$ such that $\mathcal{N}_f$ is detectable for
each $f \in \mathcal{F}$, if and only if the following hold:

(1) $(C, A)$ is detectable;

(2) for each $f \in \mathcal{F}$, $G_\mathcal{O}$ is jointly connected by $\eta_\mathcal{O}^f$.

6. EXAMPLE: STABILIZATION OF A FAULTY MCN

Given the MCN $\mathcal{N} = (P, G_\mathcal{R}, \eta_\mathcal{R}, G_\mathcal{O}, \eta_\mathcal{O}, \Delta)$ defined in
Example 2, we show that the methodological results developed
in this paper allow co-design of control algorithms
and communication parameters for stabilizing a MCN. For
clarity of presentation and without loss of generality, we
assume that the set of failures configurations only takes
into account the fault $f_3 = \{(v_3, v_7), (v_2, v_7)\}$, namely
$\mathcal{F} = \{\emptyset, f_3\}$. As already illustrated in Example 2, when
the fault $f_3$ occurs in the links $(v_3, v_7)$ and $(v_2, v_7)$, then
the zero $z_{f_3} = -2$ of $G_\mathcal{R}(z)$ coincides with the pole $p_2$
of $P_T(z)$, and the MCN $\mathcal{N}_{f_3}$ becomes uncontrollable.
Applying Theorem 2, it is possible to replace the weight
$W_\mathcal{R}(v_4, v_7)$ by $W_\mathcal{R}(v_4, v_7) + 0.1$, so that both
$\mathcal{N}_\emptyset$ and $\mathcal{N}_{f_3}$ are controllable and observable.

Consider the system $\mathcal{N}$, that models the dynamical behavior
of the network in case of failures. $\mathcal{N}$ can be modeled
by a hybrid system as defined in Balluchi et al. (2002),
where the discrete-time dynamics switches from the non-faulty
behavior $\mathcal{N}_\emptyset$ to the faulty behavior $\mathcal{N}_{f_3}$ and vice-versa.
We define a minimum dwelling time $\tau$ for $\mathcal{N}$, such
that the time duration between two consecutive changes
of dynamics of $\mathcal{N}$ can not be smaller than $\tau$.

Fig. 8. Control scheme for the faulty MCN $\mathcal{N}$.



In order to stabilize the closed loop system as depicted
in Figure 8, we need to design a controller $C$. However,
it is not easy to guarantee the existence of a unique
controller $C$ by means of a discrete-time SISO LTI system,
such that the switching dynamics of the closed loop $\mathcal{N}$
is stable. In order to design a stabilizing controller $C$,
we apply classical methodologies for eigenvalue placement
to define a controller $C_\emptyset$ for the non-faulty system $\mathcal{N}_\emptyset$,
and a controller $C_{f_3}$ for the faulty system $\mathcal{N}_{f_3}$. Since we
designed the weight function $W_\mathcal{R}$ so that $\mathcal{N}_\emptyset$ and $\mathcal{N}_{f_3}$
are controllable and observable, the existence of $C_\emptyset$ and
$C_{f_3}$ is guaranteed. In order to decide for each time instant
what control algorithm we have to apply to $\mathcal{N}$, we need a
strategy to detect on-the-fly, and only using the input and
output of $\mathcal{N}$, whether the current dynamics are non-faulty
$\mathcal{N}_\emptyset$ or faulty $\mathcal{N}_{f_3}$.

As illustrated in Figure 9 we used the hybrid observer
techniques developed in Balluchi et al. (2002) and Balluchi
et al. (2005), which allow the construction of a residual generator
dynamical system able to detect the current dynamics of
the system $\mathcal{N}$. The control scheme which exploits the
residual generator is guaranteed to be stable if
the faulty and non-faulty dynamics switch with a dwelling
time $\tau$ that is sufficiently smaller than the plant dynamics.
This assumption is reasonable in our case study, since we
consider link failures (e.g. due to battery discharge of a
node), which are thus characterized by rare occurrence.

Fig. 9. Block diagram of the controller $C$.

Fig. 10. Simulations results.

We implemented the closed loop system in Simulink and
performed the simulations in Figure 10, which show that
when the dynamics of $\mathcal{N}$ switches, the controller detects
the change of dynamics and applies the appropriate
stabilizing control law.
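Condition 3 of Theorem 1 checked over a set of failure configurations, followed by one step of the weight adjustment used in the proof of Theorem 2, as an added example that is not part of the paper. It assumes each routing path is given directly as a (delay, set of links) pair instead of being derived from the schedule as in Proposition 1, and that the plant poles are real rationals; the graph, weights, fault set, poles and all function names are constructed for illustration.

```python
from fractions import Fraction as Fr
from math import prod

def gamma(paths, w, fault, D):
    """gamma[i-1] = total weight of the surviving paths whose delay is i."""
    g = [Fr(0)] * D
    for delay, edges in paths:
        if fault.isdisjoint(edges):            # path uses no failed link
            g[delay - 1] += prod(w[e] for e in edges)
    return g

def cond3(paths, w, fault, p, D):
    """Left-hand side of Condition 3: sum_i gamma(i) * p**(D - i)."""
    g = gamma(paths, w, fault, D)
    return sum(g[i - 1] * p ** (D - i) for i in range(1, D + 1))

def violations(paths, w, faults, poles, D):
    """(fault, pole) pairs for which Condition 3 fails."""
    return [(f, p) for f in faults for p in poles
            if cond3(paths, w, f, p, D) == 0]

def pick_epsilon(paths, w, faults, poles, D, edge, step=Fr(1, 10)):
    """Smallest multiple of step keeping a + b*eps != 0 for all faults sparing edge."""
    bumped = {**w, edge: w[edge] + 1}
    forbidden = set()
    for f in (f for f in faults if edge not in f):
        for p in poles:
            a = cond3(paths, w, f, p, D)
            b = cond3(paths, bumped, f, p, D) - a   # affine: a path uses edge at most once
            if b != 0:
                forbidden.add(-a / b)
            elif a == 0:
                raise ValueError("this edge cannot repair the violation")
    eps = step
    while eps in forbidden:
        eps += step
    return eps

# Constructed sample (not from the paper): controller c, relays a/b/d, actuator u.
W = {("c", "a"): Fr(1), ("c", "b"): Fr(1), ("c", "d"): Fr(1),
     ("a", "u"): Fr(1, 3), ("b", "u"): Fr(1, 3), ("d", "u"): Fr(1, 3)}
PATHS = [(2, {("c", "a"), ("a", "u")}), (3, {("c", "b"), ("b", "u")}),
         (3, {("c", "d"), ("d", "u")})]
FAULTS = [frozenset(), frozenset({("d", "u")})]
POLES = [Fr(-1), Fr(1, 2)]

def repaired_weights(edge=("a", "u")):
    eps = pick_epsilon(PATHS, W, FAULTS, POLES, 3, edge)
    return {**W, edge: W[edge] + eps}
```

With equal incoming weights the loss of link (d, u) moves the zero of the routing transfer function onto the plant pole at -1; raising the weight of (a, u) by the selected value clears the violation for both configurations.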

7. CONCLUSIONS 

This work provides a novel methodology to design schedul- 
ing and routing of a communication network in order to 
preserve controllability and observability, for any set of 
failures configurations that at least preserve connectiv- 
ity within the scheduling period between the controller 
and the plant, and vice-versa. In Section 6 we showed 
that the configuration of scheduling and routing, together 
with the classical methodologies for eigenvalues placement, 
represent a novel co-design methodology of the network 
parameters and of the control algorithm for multi-hop 
control networks. 

In future extensions of this paper, we aim to address 
the same problem for MIMO systems. Moreover, we will 
address the issue of introducing dynamical routing in our 
model, and performing an optimal choice of scheduling 
and weight functions. Another interesting problem to be
addressed is guaranteeing the existence of a unique LTI
controller of a MCN, that guarantees stability of the
closed loop despite the switching dynamics introduced
by failures.